Georgia Tech team develops new kind of mobile security

As more business is done on smartphones and tablets, such devices have become a target for crooks seeking to pilfer corporate data or personal financial information. Securing these devices against attacks has become big business.

Now a team of Georgia Tech researchers has developed a security system — dubbed LatentGesture — that monitors how a user taps and swipes a mobile device. If the movements don’t match the owner’s unique touch signature, the system recognizes the differences and can be programmed to lock the device.

LatentGesture goes beyond unlocking the mobile device — the technology continuously monitors usage patterns so a device cannot be taken over by an unauthorized user even after it has been unlocked.

Current authentication methods, such as numerical or gesture-based passwords, are easy to steal or guess.

“It’s pretty easy for someone to look over your shoulder while you’re unlocking your phone and see your password,” said Samuel Clarke, a Georgia Tech College of Computing student on the research team. “With our system we can add another security layer by monitoring to see if the user presses buttons with the same pressure and speed as the authorized profile.”

The technology has corporate applications. It can help businesses secure employee cellphones, tablet computers and other mobile devices. This is important as companies allow employees to use their personal mobile phones for work purposes.

LatentGesture learns a person’s “touch signature,” then continuously compares it to how the current user is interacting with the device, said Polo Chau, a Georgia Tech College of Computing assistant professor who led the study. That signature includes multiple signals such as the speed and pressure applied to user interfaces — such as buttons, sliders, scroll bars and track boxes.

“Just like your fingerprint, everyone is unique when they use a touchscreen,” Chau said. “Some people slide the bar with one quick swipe; others gradually move it across the screen. Everyone taps the screen with different pressures while checking boxes.”

To reduce battery drain, the researchers are working on more intelligent monitoring — doing signal collection only when the user is touching the device.

The GT team, which includes Premkumar Saravanan and Hongyuan Zha, focused on smartphones and tablet computers because they are ubiquitous computing devices. Such devices also tend to be shared among friends or family members, increasing the need for security.

Using the touch signature, LatentGesture can help prevent unauthorized in-app purchases. The technology can differentiate between the device owners and, say, their daughter — allowing the child access to the device, but not the app store.

Securing the mobile device is an escalating problem. As companies get rid of desktops and laptops, data and other sensitive information are stored on mobile devices, Judge said.

“The only thing typically standing between the attacker and that information is a four-digit passcode,” he said.

While LatentGesture’s touch signature approach is innovative, it must make sure it can account for subtle variations in speed and touch pressure. The speed with which a user taps or swipes their touch screen is different during the workday when the user is attentive, versus at night after a few drinks, Judge said.
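The enroll-then-continuously-compare loop described above, and the need to tolerate natural variation, can be sketched as follows. This is an added illustration, not LatentGesture's algorithm, which the article does not describe: the per-widget z-score model, the window size, the threshold, the field names and all sample values are assumptions.

```python
from collections import defaultdict, deque
from statistics import mean, stdev

FEATURES = ("pressure", "speed")  # the two signals the article names

def ev(widget, pressure, speed):
    return {"widget": widget, "pressure": pressure, "speed": speed}

def enroll(events):
    """Per-widget profile: (mean, standard deviation) of each feature."""
    groups = defaultdict(list)
    for e in events:
        groups[e["widget"]].append(e)
    return {w: {f: (mean([e[f] for e in g]), stdev([e[f] for e in g])) for f in FEATURES}
            for w, g in groups.items() if len(g) >= 2}

def deviation(profile, event):
    """Mean absolute z-score of one touch against the owner's profile."""
    stats = profile.get(event["widget"])
    if stats is None:
        return None  # widget not seen at enrollment: no evidence either way
    return mean([abs(event[f] - m) / max(s, 1e-6) for f, (m, s) in stats.items()])

def first_lock(profile, events, window=5, threshold=3.0):
    """Index of the touch at which the device would lock, or None."""
    recent = deque(maxlen=window)  # averaging a window absorbs one-off outliers
    for i, e in enumerate(events):
        d = deviation(profile, e)
        if d is not None:
            recent.append(d)
        if len(recent) == window and mean(recent) > threshold:
            return i
    return None

# Constructed sample data (arbitrary units), not measurements from the study.
OWNER_ENROLL = [ev("button", p, s) for p, s in
                [(0.50, 1.0), (0.54, 1.1), (0.47, 0.9), (0.52, 1.05), (0.49, 0.95), (0.51, 1.0)]]
OWNER_ENROLL += [ev("slider", p, s) for p, s in
                 [(0.30, 3.0), (0.33, 3.3), (0.28, 2.8), (0.31, 3.1), (0.29, 2.9), (0.32, 3.2)]]
OWNER_LATER = [ev("button", 0.53, 1.1), ev("slider", 0.29, 3.3), ev("button", 0.70, 1.3),
               ev("button", 0.48, 0.95), ev("slider", 0.31, 3.0), ev("slider", 0.32, 2.9)]
OTHER_USER = [ev("button", 0.70, 0.6), ev("slider", 0.45, 1.5), ev("button", 0.72, 0.55),
              ev("checkbox", 0.9, 0.2), ev("slider", 0.44, 1.6), ev("button", 0.68, 0.6)]

PROFILE = enroll(OWNER_ENROLL)
print(first_lock(PROFILE, OWNER_LATER), first_lock(PROFILE, OTHER_USER))
```

The owner's later session contains one unusually hard press that on its own exceeds the threshold, yet the windowed average keeps the device unlocked; the second user's touches trip the lock as soon as the window fills.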

LatentGesture technology can be baked into a mobile operating system (such as Android or iOS), so the smartphone or tablet starts learning and monitoring the owner’s touch signature from the time she sets up the device.

The technology can also be layered into mobile banking and other apps that require extra security. Future applications include the desktop, where the technology can monitor cursor speed and website navigation patterns to identify the user.